Things DoD contractors should know before beginning their Journey to NIST CSF 2.0

As cyber attacks on businesses have increased, the U.S. Department of Defense (DoD) has introduced numerous cybersecurity compliance regulations, including CMMC. The NIST Cybersecurity Framework (CSF) is one such framework, published by the National Institute of Standards and Technology (NIST).

The NIST Cybersecurity Framework is one of the essential tools for managing cybersecurity risk holistically across a business. It has been accessed by more than 1.7 million organizations of various sizes, regions, and industries. It is also used abroad, being available in nine translations in addition to the original English.

Overview of the NIST Cybersecurity Framework as of Right Now

The original and primary audience for the NIST CSF consists of U.S. Government agencies and the private organizations responsible for the country’s critical infrastructure. All federal agencies must follow the framework under the 2017 presidential Executive Order 13800.

The framework was explicitly designed so that it can be used by small, medium, and large firms across a variety of industries, regardless of whether they are involved in the country’s critical infrastructure. Each organization chooses its own level of compliance.

The NIST CSF comprises five core security Functions: Identify, Protect, Detect, Respond, and Recover. Each Function is broken down into Categories and Subcategories. Incident response planning is heavily emphasized, as are the steps necessary to respond to and recover from a security breach or other security incident.

Early Feedback Results Include Six Overarching Themes

On February 28, 2022, NIST released a Request for Information (RFI) calling for suggestions on how to improve the NIST Cybersecurity Framework and its alignment with related regulations such as CMMC.

Three months later, on June 3, 2022, more than 130 comments had been received, examined, and categorized. Industry (81 replies) and non-profits made up the majority. Some of the responses were quite thorough and well thought out, validating the notion that it is, in fact, time to upgrade the framework once more. These responses were substantial enough to merit designating the update version 2.0 rather than version 1.2.

Through analysis and categorization, NIST identified the commonalities, significant points of agreement, and points of disagreement among the 130 comments, and translated these findings into six essential themes that will direct the framework update. NIST will avoid duplicating existing comments and will incorporate new ones as they are submitted. The NIST summary of comments includes information on the six themes noted below, as well as their sub-themes:

Theme 1: The main focus of the update should be on upholding and enhancing the fundamental components of the cybersecurity framework. There is a feeling that few changes are needed to the framework’s Core, Tiers, and Profiles structures.

Theme 2: Integrate the framework with ongoing NIST and other initiatives.

Theme 3: Provide additional implementation guidance, which will be especially helpful for newcomers and smaller enterprises.

Theme 4: Ensure the framework remains technology-neutral while being easily adaptable to various technology-related concerns, including modern developments and practices.

Theme 5: Emphasize the value of metrics, measurement, and assessment when using the cybersecurity framework.

Theme 6: When creating the update, consider the various cybersecurity concerns in the supply chain.